Nine tools, one shared blind spot

Researchers reported in July 2026 that nine of the most widely used AI coding tools — Cursor, GitHub Copilot, Gemini CLI, Windsurf, and others — share a common failure mode that attackers can exploit without ever phishing, socially engineering, or targeting a specific victim. The technique is called HalluSquatting, and it flips prompt injection on its head: instead of pushing malicious input at a model, attackers wait for the model to pull it.

Here's the mechanism, per the report: when these coding agents are asked to clone a "trending" repository or install a skill/package, they frequently hallucinate plausible-but-nonexistent names. This isn't a new observation — LLM package hallucination has been documented for a couple of years now in the context of pip install and npm install suggestions. What's new is the scale of the exploit surface. If an attacker can predict the hallucinated names an agent is likely to generate, they can pre-register those names on GitHub or a package registry, seed them with malicious payloads — reverse shells, per the researchers — and simply wait. Every coding agent that hallucinates that name and blindly clones or installs it becomes an infected node. No spear phishing required. This is a botnet-assembly technique that scales with the popularity of the tool, not with the effort of the attacker.